Our reference: D2015/009563
Mr Stephen Palethorpe
Select Committee into Health
PO Box 6100
Canberra ACT 2600
Dear Mr Palethorpe
Inquiry into health policy, administration and expenditure
Thank you for the opportunity to provide the Senate Select Committee on Health with this submission on the inquiry into health policy, administration and expenditure. I understand that the Committee is now focusing on improving access to and linkage between health data sets held by Australian government agencies.
The Office of the Australian Information Commissioner (OAIC) is an independent Commonwealth statutory agency that exercises a range of functions and powers directed towards protecting the privacy of individuals under the Privacy Act 1988 (Cth) (the Privacy Act). The Privacy Act contains thirteen Australian Privacy Principles (APPs) which outline how Australian Government agencies, private sector organisations with an annual turnover of more than $3 million, all private health service providers and some small businesses must handle, use and manage personal information.
The Privacy Act affords a higher level of protection to ‘sensitive information’, including ‘health information’. This recognises that inappropriate handling of sensitive information can have adverse consequences for an individual.
The Australian Information Commissioner has a number of additional functions related to the handling of health information:
- Under sections 95 and 95A of the Privacy Act, I have approved two sets of legally binding guidelines, issued by the National Health and Medical Research Council, which relate to the handling of health information for research purposes without individuals’ consent. In particular, the section 95 guidelines apply to information held by Australian government agencies.
- Under the National Health Act 1953, a former Privacy Commissioner issued the legally binding Privacy Guidelines for the Medicare Benefits and Pharmaceutical Benefits Programs. These guidelines cover all Australian Government agencies who handle MBS and PBS information. In particular, these guidelines require that information obtained from the MBS and PBS is not stored in the same database, and specify when claims information from the two programs may be linked.
- The OAIC is the independent regulator of the privacy aspects of the My Health Record system and the Healthcare Identifiers (HI) service. The privacy framework for the My Health Record system and HI Service is set out in the Privacy Act, the My Health Records Act 2012 and the Healthcare Identifiers Act 2010. The OAIC has a range of regulatory functions and enforcement powers under each of these Acts to ensure compliance with these privacy requirements.
Taking into consideration the Committee’s focus on improving access to and linkage between health data sets for policy development, I appreciate that personal information held by government can be, when it is handled appropriately, a valuable resource for policy, planning, research, innovation and providing better services.
If legislative and policy changes are made to facilitate or extend access to, and the use of, personal information in research and policy planning, it is important that an integrated approach to privacy management is taken from the beginning. This includes, for example:
- implementing legislative safeguards to limit the possibility of function creep
- considering whether any restriction on an individual’s right to privacy that arises from changes to how health data sets are used is reasonable, necessary and proportionate to the expected benefits
- considering whether personal information is in fact required, or whether de-identified or anonymised information will suffice
- undertaking a Privacy Impact Assessment (PIA) for each project that uses personal or de-identified information.
Adopting this integrated approach to privacy management will help ensure any changes to how health data sets are handled are transparent and protect the privacy of individuals. This gives individuals assurance that their privacy will be respected and facilitates good public policy.
Should the Committee require any further information, please contact Ms Melanie Drayton, Director Regulation and Strategy Branch on [contact details removed].
Timothy Pilgrim PSM
Acting Australian Information Commissioner
18 December 2015
Under the Australian Information Commissioner Act 2010, the OAIC also has freedom of information and information policy functions.
The term ‘sensitive information’ is defined in s 6 of the Privacy Act.
The term ‘health information’ is defined in s 6FA of the Privacy Act.
Further information on the section 95 and section 95A guidelines is available on the OAIC’s website.
Further information on the Privacy Guidelines for the Medicare Benefits and Pharmaceutical Benefits Programs is available on the OAIC’s website.
Further information on conducting a PIA is available in the OAIC’s Guide to undertaking privacy impact assessments.